Role of Distribution Switch

Similar Messages

• Failed to get the Availability State on server Distriubtionpoint1 for role SMS Distribution Point

  Distriubtionpoint1-- Server share distribution point
  Distriubtionpoint1-- Acting as site system role (DP)
  Distriubtionpoint1--attached under the primary PR0 (Primary server0)
  Primary server0-- reporting to CS0 (central site 0)
  Distriubtionpoint1-- Windows 2008 sp1 r2 standard
  Infrastructure details:-
  =============
  Distriubtionpoint1 located in different domain with one way trust.
  1) Check ping status with FQDN from both domain and it is success.
  2) Check port 135, 445, 80,443 through telnet from both domain and success.
  3) Primary Server0 account is member of the local admin group on Distriubtionpoint1.
  4) Check the PR0-SCCM-DP$ folder NTFS & Share permission
  Share permission
  a) everyone & local admin group has full control
  Security permission
  a) System has full permission
  b) user has read & exec
  4) Local admin full
  Sitestat.log error message:
  ---->: Failed to get the Availability State on server
  Distriubtionpoint1 for role SMS Distribution Point. SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:15 PM 952 (0x03B8)
  ---->: Now polling via NAL for SiteObject "["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\" SMS_SITE_SYSTEM_STATUS_SUMMARIZER
  4/22/2014 9:00:15 PM 952 (0x03B8)
  for ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\, no connection account is available SMS_SITE_SYSTEM_STATUS_SUMMARIZER
  4/22/2014 9:00:15 PM 952 (0x03B8)
  ---->: The NAL path ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\ is currently not accessible. SMS_SITE_SYSTEM_STATUS_SUMMARIZER
  4/22/2014 9:00:18 PM 952 (0x03B8)
  Info>: Unable to get available space for the Site Object ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\ SMS_SITE_SYSTEM_STATUS_SUMMARIZER
  4/22/2014 9:00:18 PM 952 (0x03B8)
  STATMSG: ID=4701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_SITE_SYSTEM_STATUS_SUMMARIZER" SYS=Distriubtionpoint1 SITE=PR0 PID=4112 TID=952 GMTDATE=Wed Apr 23 01:00:18.002
  2014 ISTR0="\\Distriubtionpoint1\PR0-SCCM-DP$" ISTR1="\\Distriubtionpoint1\PR0-SCCM-DP$" ISTR2="2014 04 4 17 04 31 31 000" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8=""
  ISTR9="" NUMATTRS=0 SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:18 PM 952 (0x03B8)
  for ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\, no connection account is available SMS_SITE_SYSTEM_STATUS_SUMMARIZER
  4/22/2014 9:00:18 PM 952 (0x03B8)
  ---->: GetOperationsManagementData failed to connect to ["Display=\\Distriubtionpoint1\PR0-SCCM-DP$\"]MSWNET:["SMS_SITE=PR0"]\\Distriubtionpoint1\PR0-SCCM-DP$\; error
  = 5. SMS_SITE_SYSTEM_STATUS_SUMMARIZER 4/22/2014 9:00:20 PM 952 (0x03B8)

  I have tried to access the server share DP from the primary server by using my user
  credential. Yes I can able to access the share.
  But when I use the system credential to access the share received an error message as shown in below screenshot
  Hence i have provided the share and ntfs permission administrators, system, everyone,
  primary server account with full control on both tab. but still i am receiving error message.
  :\temp>whoami
  US\prasath
  c:\temp>dir \\PrimaryServer1\SCCM-DP$
  Volume in drive \\PrimaryServer1\SCCM-DP$ is Data
  Volume Serial Number is 22F0-661B
  Directory of \\PrimaryServer1\SCCM-DP$03/17/2014
  03:33 PM <DIR> .03/17/2014 03:33 PM <DIR> .
  04/01/2014 08:04 AM <DIR> SMSPKG
  0 File(s) 0 bytes
  3 Dir(s) 514,625,064,960 bytes free
  ===========================================
  C:\Windows\system32>whoami
  nt authority\system
  C:\Windows\system32>dir
  \\PrimaryServer1\SCCM-DP$
  Access is denied.

• N7k as redundant core with vpc to 4510/3750 as distribution switch

  Hi - basic question here
  Got 2 qty N7k as redundant core with vpc to 4510 and 3750 as redundand distribution switch running MST. I got stuck with some bad cabling design from our IDF to Datacenter so have 2 access switch whereby each one will have a etherchannel to both distribution 4510 and 3750. My question is this is  a doable design as I am not sure about the vpc upstream on how it effects etherchannel with MST for my distribution and access.
  Thanks

  vPC will be considered as one logical link by both upstream and downstream connected devices
  the question here are you going to run L3 between the distribution and Core devices ? (  this is recommended design ) if yes, then you do not need to worry about MST and VPC if you going to have it L3 from distribution devices up to the Core
  one thing to consider is the distribution switch in your design has big difference in terms of backplane throughput i mean between the 4500 and 3750 !
  if you can have both as 4500 will be better and more consistent design
  Good luck
  if helpful Rate

• Sinkhole routing rfc1918 on the core/distribution switch (6500)

  Hi guys,
  I am planning on getting rid of packets going to unrouted nonexistent rfc1918 networks in our DC environment going into internet facing firewall from our core/distribution switch via default route. I am thinking on setting a bunch of rfc1918 static routes to Null0 on the core/distro switches so they will kill all the packets destined to unused rfc1918 networks into Null0. Wondering if that would be a good solution to this.
  Thanks!

  I am not sure quite what you have in mind when you talk about a bunch of rfc1918 static routes. I could see doing a route for 10.0.0.0 range, for 172.16.0.0 range, and for 192.168.0.0 range. Is 3 a bunch? If you had more in mind what would they be?
  If you do static routes to Null0 for the summarized spaces then it would allow routing to any private addresses used inside your network to work since they should have more specific entries in your routing table and it would discard traffic with destination addresses in private address space. Be aware that if you have any site to site VPN tunnels from the firewall or any address translations on the firewall that use private addresses that your plan may very well have negative consequences for them.
  HTH
  Rick

• Redundant up-links distribution switches

  I am trying to understand some basic math involved in calculating redundant up-links for access switches to distribution switches. The ICND1 depicts a diagram showing 40 access switches with 2 distribution switches with 4 up-links to each of 40 access switches resulting in 160 links.
  It then goes on to say that If the design instead did not use distribution switches, to connect a single link between each pair of access switches would
  require 780 links.
  How was 780 calculated exactly?

  Hi,
  The 780 is calculated as (40 * 39) / 2.
  In general, this is a question asking about the number of links needed to interconnect N nodes with a single direct link between each pair of these devices. The formula is N * (N-1) / 2, and it follows a simple logic that on each of the N nodes, you need to connect N-1 links to reach the remaining devices, and because a link connects a pair of devices, adding each link always "deals with" a pair devices, hence the division by 2.
  Best regards,
  Peter

• For Migration: Staffing of existing Roles with Distribution

  Hi,
  As a part of Migration, we are trying to use a Report for Uploading Staffing data.
  The roles are having Distribution. We are trying to use BUS2177staffingadd BAPI which works only if Start and End dates are same as that of Role.
  We are planning to change the Start and End of Staffing using BUS2177*staffing*change FM
  But we are not able to change as it checks in standard commit class CL_DPR_CHECK.
  Is there any other way to upload staffing data.
  Can we use SET_ADVANCED_DISTRIBUTION method of CL_DPR_BUPA_DISTRIBUTION, if so how.
  Appreciate any inputs on this.
  Regards,
  Niranjan

  Hi,
  Did you get any answers for this? We are also facing problems while using the FM  BAPI_BUS2177_STAFFING_ADD
  When we call  BAPI_CPROJECTS_COMMIT_WORK it returns with an error. When tried to debug, found that system raises an event save_requested and then error occurs.
  Please let us know, if you resolved the issue and could upload staffing data.
  Thanks in advance.

• Role Based Access through business roles? Switch b/w business roles?

  Hey Guruz:
  We have a situation where we want to really chop down on what the user should see in UI.
  What this basically means is that we want to define job based business roles. In essence a user should only see what he is allowed to execute as part of his job function.
  One solution would have been to create 1 business role and control everything through the pfcg role. But, this will be a very unfriendly approach, as the user would never really know what is part of job profile and what not till he clicks on it to find out that it doesnt work and is not authorized for it.
  To avoid the above situation, we want to give managers and users the liberty to pick out their own combination of business roles which suits a users job profile. I know this would mean we might have to create quite a few business roles, but atleast it avoids reduntant access.
  Any thoughts are welcome.
  Questions:
  If a user is assigned multiple business roles how to switch without really logging off?
  Can we have tabs or something on the header or nav bar which allows a user to switch b/w business roles?
  Can the net affect of multiple business roles be combined when assigned to a user ?
  Thanks
  KT

  Hi KT
  The whole concept around assigning a Business Roles is to provide a specific set of functions to a specific user or user group.
  There should not be any reason for a User to log off from one role and then log in with another.
  If for example you want a user to have some Sales Professional access as well as some Service Professional access then you would copy Sales Professional Role to you own custom role, remove the Sales Professional attributes that you do not want, then add in the required Service Professional attirbutes required.
  The WEB UI views can then be configured for that particular Custom role you have created.
  Hope this helps
  Arden

• NAC 4.7 "CAS unavailable" temporary role

  I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about
  30% of the time (and its increasing) when I log on using the 4.7 agent, the agent will give me the error that the cas is unavialbe on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role. (highlighted quarantined)
  When i kick the user, more often than not , the user can log back in and it places him in the oob role that he is assigned to and all works fine.
  core switch -----------cas/cam
       |
  distribution switch
       |
  End user switch---------end user pc
  Any ideas as to why when placed in the temp role transitioning to the authenticated role it would lose contact???? and why would it be placed in the in-band section of the monitoring online users?

  the cn name on the cas was indeed wrong. the IP address was that of the CAM.
  However, that still hasnt fully fixed the problem.
  I took all the checks away from the auth role assigned and it seems to fix the problem.
  Yes, Faisal all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each vlan on the switch, apart from the Auth vlans have a SVI.
  ie. on the core switch
  interface GigabitEthernet2/28
  description trusted
  no ip address
  switchport
  switchport trunk native vlan 997
  switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
  switchport mode trunk
  interface GigabitEthernet2/29
  description untrusted
  no ip address
  switchport
  switchport trunk native vlan 996
  switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
  switchport mode trunk
  Example SVI for access VLANS
  interface Vlan110
  description StaffLowerPT
  ip address 1.1.1.1 255.255.255.0
  ip helper-address 1.1.1.4
  ip pim sparse-dense-mode
  ipx network 8
  no SVI's for auth vlans.
  I remember reading somewhere that if no checks are done (ie if the agent is not running any rules on it) then it moves straight from authenitcation (phase1) to authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?
  I have a AV check rule, and two sus/WSUS rules.

• Bandwidth from Access Layer to Distribution Layer

  Folks:
  I am currently on Chapter 12 of “CCNP Switching 642-813, Official Certification Guide” ISBN: 978-1-58720-243-8. I am currently not grasping the three layers entirely, and I was hoping someone could offer insight in a different way.
  I believe I understand, that switches in the Access-Layer can be layer2 devices (2950, etc), and devices in the Distribution Layer should be Multilayer devices such as Layer-3 switches (3750) and inter-vlan routing takes place at the Distribution layer. But what I do not understand – how does one account for bandwidth and traffic from the Access Layer switches to the Distribution Switches?
  Let use a 24 port 2950 switch located at the Access-Layer. If everyone was online and communicating, the total traffic for the switch would be 4.8 Gbps. The latter is due to each port providing 100 Mbps but in Full-Duplex, so (100*2)*24. So, how does an engineer spec out the required uplink ports from the Access Layer to the Distribution?
  I am sure this is easy; however, I am not getting the concepts. Any insight is great.

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  As noted by Peter, edge hosts don't generally all concurrently push/pull their full port bandwidth for substained periods.  However, host bandwidth usage often varies much by "kind" of host.  For example, many server hosts are "busier" than most user hosts, so when designing networks you normally design for lower oversubscription ratios for server hosts than for user hosts.  Old rule-of-thumbs ratios suggest oversubscription ratios of about 8:1 to 4:1 for servers, and about 48:1 to 24:1 for users.
  Keep in mind that oversubscription ratios can be "skewed" by what the host is doing, i.e. not all server or user hosts have similar bandwidth demands.  For example, your primary mail server or primary file server might be much "busier" than other server hosts.  Likewise, some user hosts might be much "busier", for example, years ago I supported a LAN segment of CADD (20) workstations which had more traffic on their local LAN than the (2,000 user) corporate backbone.

• How to span vlans across core layer in core/distribution/access campus design?

  Hi,
  I studied Cisco Borderless Campus Design Guide 1.0 (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.html) last week because we plan to redesign our campus backbone to a three tier Core/Distribution/Access Design.
  Today we use a collapsed backbone where a lot of vlans are spanned across the backbone because they are needed in different buildings.
  Could anybody give me a hint how Cisco recommends to deal with that kind of vlans in the multi-tier design?
  In my eyes between core and distribution layer there is only routing functionality and no l2 transport of vlans.
  So using the same vlan in different buildings seems not to be supported?
  Best Regards,
  Thorsten

  Thorsten
  Just to add to Joseph's post.
  It is quite common for a vlan to be spanned when it doesn't actually need to be ie. the network has evolved that way.
  Most things do not need L2 adjacency, they can happily use L3. Servers sometimes do but in the campus design your servers are usually located in one site so you don't need to extend vlans to other sites in your campus.
  Not suggesting this is the case for you but it may be worth checking whether you really do. (apologies if you already have)
  As Joseph mentioned you really want to avoid it if at all possible ie. ideally all connections to the core switches are L3 ie. no need for vlans at all in the core.
  If you need to extend a few vlans then you can do this but still route for all other vlans ie. you would configure your distribution to core connections as trunks and then allow the vlans you need to extend plus one other vlan, unique per distribution pair, to route all other vlans. So per site your distribution switches route all vlans except the extended vlans and of they need to route to a vlan in another site they use that unique vlan.
  But this is not ideal because you then need to extend certain vlans across the core and because you are using L2 connections STP could come into it although that does depend on your core switch selection eg. 4500/6500 VSS etc. would alleviate this.
  There are ways to extend vlans across a L3 network but the solutions available are very much dependant on the kit you use and their capabilities so if you do need multiple vlans in multiple sites but still want to keep a L3 core you may want to investigate some of those before purchasing kit (unless of course you have already purchased it).
  What you do really depends on just how many vlans you actually need to extend between sites.
  Jon

• Can't change role

  Hi all !
  I have 2 same roles in quality and production system.
  When i go in pfcg or suim to change role (F6) i can't delete or add transaction.
  I can't change this role in production and quality system.
  In quality system this role have distribution to production system.
  Maybe a problem because of  this?
  How i can delete distribution?
  How fix this problem?
  Thx.

  Hi,
  Welcome you post here.
  However, your question seems not related to SAP Business One System Administration. Please close your thread and post it on a proper forum.
  Thanks,
  Gordon

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Distribution point not installing

  I'm having some issues with a new Distribution point. This is my first Server 2012 R2 distribution point and after installing the roles and features (I believe are required) the distribution point does not install. I can't see anything on the distribution
  point, nor can I see any configuration on the SCCM console. It displays as a site system with a role of Distribution point but distmgr.log does not display any activity except
  Successfully modified DP ["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\ Drizzle Role to 1 SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  ConfigureDP SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  IISPortsList in the SCF is "80,80". SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  IISSSLPortsList in the SCF is "443,443". SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  IISWebSiteName in the SCF is "". SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  IISSSLState in the SCF is 480. SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:13 5096 (0x13E8)
  DP registry settings have been successfully updated on SECROWFIL03.sec.ssegroup.net SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:42 5096 (0x13E8)
  STATMSG: ID=9501 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=\\MP01.Domain.net SITE=CTG PID=5580 TID=5096 GMTDATE=Wed Aug 13 10:20:42.786 2014 ISTR0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\"
  ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\" SMS_DISTRIBUTION_MANAGER 13/08/2014
  11:20:42 5096 (0x13E8)
  STATMSG: ID=9503 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=\\MP01.Domain.net SITE=CTG PID=5580 TID=5096 GMTDATE=Wed Aug 13 10:20:42.788 2014 ISTR0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\"
  ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\" SMS_DISTRIBUTION_MANAGER 13/08/2014
  11:20:42 5096 (0x13E8)
  ConfigurePXE SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:42 5096 (0x13E8)
  Translated server name SECROWFIL03.sec.ssegroup.net to sec.ssegroup.net\SECROWFIL03.sec.ssegroup.net. SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:43 5096 (0x13E8)
  CWmi::Connect() failed to connect to
  \\DP02.Domain.net\root\SCCMDP. Error = 0x800706BA SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:44 5096 (0x13E8)
  STATMSG: ID=2391 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=\\MP01.Domain.net SITE=CTG PID=5580 TID=5096 GMTDATE=Wed Aug 13 10:20:44.002 2014 ISTR0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\"
  ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\DP02.Domain.net\"]MSWNET:["SMS_SITE=CTG"]\\DP02.Domain.net\" SMS_DISTRIBUTION_MANAGER 13/08/2014
  11:20:44 5096 (0x13E8)
  Failed to connect to DP WMI provider SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:44 5096 (0x13E8)
  CDistributionManager::ConfigurePXE failed; 0x800706ba SMS_DISTRIBUTION_MANAGER 13/08/2014 11:20:44 5096 (0x13E8)
  Any Ideas?
  If anyone has the list of Operating system requirements for a DP running on Server 2012R2 it would be appreciated also.

  I've just tried to reach the admin$ from a remote PC and (from the local server) using PSexec and I can read the admin$ directory without any issues so there is access to the remote DP. I haven't yet looked at the firewall logs but only because
  the firewall ports are already allowing traffic to our other DP's.
  do the firewall rules differ from server 2008, 2012 and 2012R2? (I have previous 2008 and 2012 servers but this is the first R2 server we are setting up as a DP.)
  The firewall rules are the same for 2k8 and 2k12.
  When you reach the admin$ share are you using Psexec as the system account and not your use account ? (-i -s as Torsten mentionned) ?
  Do you have any other firewall maybe between the machine and the site Server ?
  Do you have the SCCMContentLib folder created on the DP ? (On the drive specified in the wizard).
  Benoit Lecours | Blog: System Center Dudes

• LAN design - how to implement a core switch?

  Hi all,
  First post here so please be gentle :-)
  I'm looking for a bit of advice with a LAN setup I've been tasked with.
  The basic requirements are to have a demonstration suite of servers/storage devices networked with internet access with certain devices segmented in different VLANs. Also, a separate VLAN is required for training and meeting rooms which will receive DHCP addresses from a WIN2K3 server.
  The kit I've inherited consists of:
  1 ADSL Modem/Router
  1 2611XM router
  2 Catalyst 4006 switches with Supervisor II engines (CatOS :-( ), one with a layer 3 routing module
  Several Catalyst 2950/3500xl switches
  Netscreen 100 Firewall
  F5 Firepass for VPN
  After a lot of fun resetting devices I've currently setup the LAN with a router on a stick configuration which routes between different VLANs (on the 3500/2950s) and which has internet access via the 2611 and ADSL modem router in turn. That's about as far as my current knowledge goes I'm afraid!
  What I have to do is incorporate the 4006s but I don't really know how to go about it or what's the best way to use them. How would I use them as core switches?
  I was hoping someone could point me in the right direction on the best way to connect the switches up, i.e. network design, cabling (fibre uplinks between switches) and some basic configuration advice with the layer 3 routing module.
  Any advice will be most appreciated!! It's my first networking job and I'm a bit lost.
  Thanks.

  Peter,
  I would do the same - with a twist...
  Have 1 4006 as a VTP server, also the spanningtree root for all vlans.
  Have a trunk between the two 4006's - and make it an etherchannel 2 or 3 ethernet links (redundancy).
  Make the second 4006 also a vtp server (redundancy) and have that 4006 the secondary 4006 for spanningtree (more redundancy!)
  That way if you decide to have a distribution layer - you have 2 uplinks into the core 1 into 4006-1 as the primary, and the second 4006-2 as the secondary.
  You could then have a trunk (etherchannel) between the distribution switches, then have a access layer into the distribution layer with duel links. This way you could have multiple switch and or link failures and still work!!!
  You use the layer 3 module to do the inter-vlan routing - correct. Then have your adsl modem/router as the gateway to the internet - you put a default route in the layer 3 module point to the adsl modem! then you have the routes for the various vlan subnets pointing from the modem back to the layer 3 module......done!
  HTH.

• Vlan hopping issue btw 2950 (Access) & Cat 6K (Distribution)

  Cat 6K is the Distribution Switch & 2950 is the Access Switch
  Cat 6K int Gig 8/16 --- 2950 Fa 0/1
  Cat 6K's Gig 8/16 is configured as Access port for Vlan 212 (10.106.167.0/24)
  2950 has all its ports in Vlan 1. So, all frames from 2950 is sent untagged to Cat 6K which then tags them as Vlan 212. [Don't ask me why, but this is how they do it in our labs]
  The problem here is, hosts configured in one other Vlan i.e. Vlan 244 (10.106.238.0/24) when connected to the 2950 Access Switch, can ping its Gateway 10.106.238.1.
  Can someone explain why/how this is happening?

  Hi @rmysored,
  The fact that all frames from 2950 are sent untagged to Cat 6K and then Cat 6K tags them as VLAN 212 is because the port Gi8/16 is an access port. Take the following example (Please, see the attached figure first):
   - I have Sw1, Sw2 and PC1
   - Sw1 and Sw2 are connected via a trunk port (passing all the VLANs by default)
   - Sw2 is connecting PC1 via an access port in VLAN 10
  When PC1 is sending frames to Sw2 it sends it untagged because PCs don't recognize tags and tipically they don't know in what VLAN they are
  But when Sw2 is sending those frames (from PC1) to Sw1, Sw2 tags those frames as part of VLAN 10 because Sw2 is passing more VLANs to Sw1 via the trunk link and it has to recognize where the frames belongs to when they return back
  In your case, Cat 6K is tagging the frames coming from the 2950 as part of VLAN 212 because its port facing the 2950 (an access port) is configured as part of that VLAN.
  In the other hand, can you share the configurations of the Cat6K and 2950 for deeper investigations?
  Hope to see your answers.
  Rgrds,
  Martin, IT Specialist